The Domain Name System (“DNS”) is the part of the Internet infrastructure that translates human-readable domain names into the Internet Protocol (“IP”) addresses needed to establish TCP/IP communication over the Internet. DNS allows users to refer to web sites, and other resources, using easier-to-remember domain names, such as “www.example.com”, rather than the numeric IP addresses, e.g., 123.4.56.78, assigned to computers on the Internet. Each domain name is made up of a series of character strings (“labels”) separated by dots. The right-most label in a domain name is known as the top-level domain (“TLD”). Examples of well-known TLDs are “com”, “net”, “org”, and the like. Each TLD supports second-level domains, listed immediately to the left of the TLD, e.g., the “example” label in “www.example.com”. Each second-level domain can in turn include a number of third-level domains located immediately to the left of the second-level domain, e.g., the “www” label in “www.example.com”.
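The label structure just described (right-most label is the TLD, then the second-level label, then the third-level label) is easy to get wrong when handling untrusted input, so the following is an added example, not part of the original text, that splits a name into labels, classifies the three levels, and rejects malformed names. The length limits (63 octets per label, 253 characters for the whole name) and the letters-digits-hyphen rule applied here are the standard DNS hostname constraints; they are assumptions of this example rather than something the passage itself states, and the sample inputs are constructed.

```python
"""Split a domain name into its labels and identify the TLD, second-level
and third-level labels, validating each label along the way.

Added example; not code from the original page. The 63-octet label limit,
the 253-character name limit and the letters-digits-hyphen (LDH) rule are
the standard DNS hostname constraints, assumed here rather than taken from
the passage.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# LDH rule: letters, digits and hyphens only; a label may not begin or end
# with a hyphen and may be at most 63 characters long.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass
class DomainLevels:
    labels: List[str]            # labels in left-to-right order as written
    tld: str                     # right-most label
    second_level: Optional[str]  # label immediately left of the TLD, if any
    third_level: Optional[str]   # label immediately left of the second level, if any


def split_labels(name: str) -> List[str]:
    """Normalize a domain name and split it into its dot-separated labels.

    Case is folded to lowercase (DNS names are case-insensitive) and a single
    trailing dot (the fully qualified form) is tolerated. Raises ValueError
    for an empty name, an over-long name, an empty or over-long label, or a
    label containing characters outside the LDH set.
    """
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    if not name:
        raise ValueError("empty domain name")
    if len(name) > 253:
        raise ValueError("domain name exceeds 253 characters")
    labels = name.split(".")
    for label in labels:
        if not _LABEL_RE.match(label):
            raise ValueError(f"invalid label: {label!r}")
    return labels


def classify(name: str) -> DomainLevels:
    """Identify the TLD, second-level and third-level labels of a name."""
    labels = split_labels(name)
    tld = labels[-1]
    second = labels[-2] if len(labels) >= 2 else None
    third = labels[-3] if len(labels) >= 3 else None
    return DomainLevels(labels=labels, tld=tld,
                        second_level=second, third_level=third)


def is_valid_domain(name: str) -> bool:
    """True if the name parses under the rules above, False otherwise."""
    try:
        split_labels(name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs, including a few malformed ones.
    samples = ["www.example.com", "example.com.", "com", "-bad.example.com",
               "a" * 64 + ".example.com", "ex ample.com"]
    for sample in samples:
        try:
            levels = classify(sample)
            print(f"{sample!r}: tld={levels.tld} second={levels.second_level} "
                  f"third={levels.third_level}")
        except ValueError as err:
            print(f"{sample!r}: rejected ({err})")
```

The check is hostname-style: labels used only in record names (for example those beginning with an underscore) are outside the LDH rule and would be rejected here, which is the conservative choice when the input is a user-supplied name to be registered or looked up.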
The responsibility for operating each TLD, including maintaining a registry of the second-level domains within the TLD, can be delegated to a particular organization, known as a domain name registry (“registry”). The registry is primarily responsible for answering queries for IP addresses associated with domains (“resolving”), typically through DNS servers that maintain such information in large databases, and operating its top-level domain.
To obtain a domain name, the domain name is typically registered with a registry through a domain name registrar, an entity accredited by the Internet Corporation for Assigned Names and Numbers (ICANN) and authorized to register Internet domain names on behalf of end-users. Generally, when a domain name is registered, the associated domain data is stored in a database that can be queried.
Domain names are registered for a wide variety of purposes. For example, domain names can be registered for legitimate uses, such as providing services, providing information, branding, defensive registrations, and the like. Domain names can also be registered to engage in malicious behavior, which may include Denial-of-Service (DoS) attacks (e.g., Distributed Denial-of-Service (DDoS) attacks), botnets (and their command and control infrastructure), phishing, spam, or the like. In a DoS attack, for example, one or more requestors flood a server with an undesirably large amount of query traffic or with abnormally complex queries. Processing these requests requires an abnormally large amount of resources and thus degrades and slows the server's ability to service legitimate requests. Accordingly, improved systems, devices, and methods for detecting, based on the domain data, domain names that are registered to engage in malicious behavior, and for subsequently mitigating that behavior, would be desirable.